IP Address Pools created for Host or Edge TEPs are showing up as realisation FAILED in the NSX GUI.
NSX 4.X
The issue occurs because the customer is attempting to modify the allocation range within the IP pool while IPs are already allocated from it. NSX-T IP Address Management (IPAM) does not allow updates to an IP range that is actively in use, leading to the error: "Range [{0}-{1}] cannot be updated because it has allocated IDs."
IP pool in the NSX-T Policy GUI:
Pool details using MP API from the NSX-T Manager:
{
  "pool_usage" : {
    "total_ids" : #,
    "allocated_ids" : #,
    "free_ids" : #
  },
  "subnets" : [ {
    "cidr" : "#.#.#.#",
    "gateway_ip" : "#.#.#.#",
    "dns_nameservers" : [ ],
    "allocation_ranges" : [
      { "start" : "#.#.#.#", "end" : "#.#.#.#" },
      { "start" : "#.#.#.#", "end" : "#.#.#.#" },
      { "start" : "#.#.#.#", "end" : "#.#.#.#" }
    ]
  } ],
  "check_overlap_with_existing_pools" : false,
  "resource_type" : "IpPool",
  "id" : "<UUID>",
  "display_name" : "##-##-pool",
  "tags" : [ {
    "scope" : "policyPath",
    "tag" : "/infra/ip-pools/<IP POOL NAME>"
  } ],
  "_create_time" : #######,
  "_create_user" : "nsx_policy",
  "_last_modified_time" : #######,
  "_last_modified_user" : "nsx_policy",
  "_system_owned" : false,
  "_protection" : "REQUIRE_OVERRIDE",
  "_revision" : #
}
Editing an in-use IP range is not supported from the IPAM side. When an update to the range is attempted, it fails at the time of realisation and the MP subnet allocation ranges do not get updated. Hence, even though the policy intent gets updated, the pool remains in FAILED state because realisation has failed.
This also leads to a discrepancy between the MP-side and Policy-side ranges of the same IpPool. The discrepancy can be seen by comparing the ranges shown in the Policy GUI with those in the MP API response.
We need to restore the pool to its original success state -
Get the MP-side allocation ranges within the subnet of the pool. This can be done in 2 ways (UI/API) -
From UI -
1. Go to Manager UI -> IP Address Pools.
2. Under that, click on the subnet count for that particular pool.
3. This shows the IP ranges, CIDR, etc. of all subnets belonging to that pool.
4. Collect the IP range details of the subnet which caused the pool to fail on the Policy side.
5. Now go to Policy UI -> IP Address Pools.
6. Edit the said pool’s subnet. Update the ranges with those collected in step 4.
7. Save the pool.
This should restore the pool to its original state.
From API -
1. Use the following API to GET MP side pool details -
GET https://<manager-IP>/api/v1/pools/ip-pools/<mp-pool-id>
Response -
{
  "pool_usage": {
    "total_ids": ##,
    "allocated_ids": #,
    "free_ids": #
  },
  "subnets": [ {
    "cidr": "#.#.#.#/##",
    "dns_nameservers": [],
    "allocation_ranges": [
      { "start": "#.#.#.#", "end": "#.#.#.#" }
    ]
  } ],
  "check_overlap_with_existing_pools": false,
  "ip_address_type": "IPV4",
  "resource_type": "IpPool",
  "id": "<UUID>",
  "display_name": "<DISPLAY NAME>",
  "_system_owned": false,
  "_protection": "REQUIRE_OVERRIDE",
  "_create_time": ####,
  "_create_user": "nsx_policy",
  "_last_modified_time": ####,
  "_last_modified_user": "nsx_policy",
  "_revision": #
}
The response contains the allocation ranges of the pool.
2. Now use these ranges to patch the subnet on the Policy side with the following API -
PATCH https://<manager-IP>/policy/api/v1/infra/ip-pools/<policy-pool-id>/ip-subnets/<policy-subnet-id>
Payload -
{
  "cidr": "#.#.#.#/##",
  "allocation_ranges": [
    { "start": "#.#.#.#", "end": "#.#.#.#" }
  ],
  "resource_type": "IpAddressPoolStaticSubnet",
  "display_name": "<DISPLAY NAME>"
}
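As an added example (not part of the original article and not NSX's own code), the Python sketch below carries out the comparison behind API steps 1 and 2 offline: it matches the MP subnet to the Policy subnet by CIDR, detects whether the ranges differ, and builds the PATCH payload from the MP ranges. The sample JSON, addresses, IDs and function names are constructed for illustration.

```python
import json

# Constructed sample of the MP response from
# GET /api/v1/pools/ip-pools/<mp-pool-id> (documentation addresses, placeholder IDs).
MP_POOL = json.loads("""
{"id": "mp-pool-uuid-placeholder", "display_name": "tep-pool",
 "pool_usage": {"total_ids": 20, "allocated_ids": 4, "free_ids": 16},
 "subnets": [{"cidr": "192.0.2.0/24", "dns_nameservers": [],
   "allocation_ranges": [{"start": "192.0.2.10", "end": "192.0.2.29"}]}]}
""")

# Constructed sample of the Policy subnet after the failed range edit.
POLICY_SUBNET = {
    "id": "subnet-1", "display_name": "tep-subnet", "cidr": "192.0.2.0/24",
    "resource_type": "IpAddressPoolStaticSubnet",
    "allocation_ranges": [{"start": "192.0.2.50", "end": "192.0.2.69"}],
}

def _ranges(subnet):
    """Normalise allocation ranges to a sorted list of (start, end) tuples."""
    return sorted((r["start"], r["end"]) for r in subnet.get("allocation_ranges", []))

def mp_subnet_for(mp_pool, cidr):
    """Return the MP subnet whose CIDR matches the Policy subnet, or None."""
    return next((s for s in mp_pool.get("subnets", []) if s.get("cidr") == cidr), None)

def build_restore_payload(mp_pool, policy_subnet):
    """Return the PATCH body that restores the MP ranges, or None if already in sync."""
    mp_subnet = mp_subnet_for(mp_pool, policy_subnet["cidr"])
    if mp_subnet is None:
        raise ValueError("no MP subnet with CIDR %s" % policy_subnet["cidr"])
    if _ranges(mp_subnet) == _ranges(policy_subnet):
        return None  # no MP/Policy discrepancy, nothing to patch
    return {
        "cidr": mp_subnet["cidr"],
        "allocation_ranges": [dict(r) for r in mp_subnet["allocation_ranges"]],
        "resource_type": "IpAddressPoolStaticSubnet",
        "display_name": policy_subnet["display_name"],
    }

def patch_path(policy_pool_id, policy_subnet_id):
    """Policy API path from the article; the IDs are supplied by the caller."""
    return "/policy/api/v1/infra/ip-pools/%s/ip-subnets/%s" % (policy_pool_id, policy_subnet_id)

if __name__ == "__main__":
    print("PATCH", patch_path("tep-pool", POLICY_SUBNET["id"]))
    print(json.dumps(build_restore_payload(MP_POOL, POLICY_SUBNET), indent=2))
```

A return value of None means the Policy ranges already match the MP ranges, so no PATCH is needed for that subnet.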